Acts 2017
scope, context and purposes, every controller or processor shall, prior to
the processing, carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data.
(2) The processing operations referred to in subsection (1) are –
(a) a systematic and extensive evaluation of personal aspects
relating to individuals which is based on automated
processing, including profiling, and on which decisions
are based that produce legal effects concerning the
individual or significantly affect the individual;
(b) processing on a large scale of special categories of data
referred to in section 29;
(c) a systematic monitoring of a publicly accessible area
on a large scale;
(d) any other processing operations for which consultation
with the Office is required.
(3) An assessment shall include –
(a) a systematic description of the envisaged processing
operations and the purposes of the processing,
including, where applicable, the legitimate interest
pursued by the controller or processor;
(b) an assessment of the necessity and proportionality of
the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of
data subjects;
(d) the measures envisaged to address the risks and the
safeguards, security measures and mechanisms to
ensure the protection of personal data and to demonstrate
compliance with this Act, taking into account the rights
and legitimate interests of data subjects and other
persons concerned.